Abstract
Cloud based services are gaining popularity across the globe and there is a growing interest to adopt the cloud for operational efficiency, green computing initiatives and service agility. However, concerns of security and risks in the Cloud are important constraints to reaping the benefits of Cloud Computing. Controlling the threats and vulnerabilities of Cloud based IT Services are prime necessities with proper policies and guidance from the Business Leadership or Board. While Business is concentrating on cost reduction as a primary enabler for adopting Cloud based Services, there is a growing need for exercising effective Governance and Risk Management to mitigate security risks and to exercise control over data in the Cloud. This chapter discusses how Governance and Risk Management domain (GRM) of Cloud Controls Matrix (CSA CCM) V3 Framework from Cloud Security Alliance (CSA) and the ISO/IEC 38500:2008 standard for IT Governance can be utilized together for an effective Governance and Risk Management of Cloud Services.
TopIntroduction
Cloud Computing is gradually gaining significance as an effective IT Service Delivery methodology with every passing year and there is growing interest among the Business Owners and IT Service Providers to embrace the Cloud. According to Gartner Inc.’s Hype Cycle for Cloud Computing (2013), Cloud Computing is gradually moving towards the Slope of Enlightenment, as shown in Figure 1, with its growing popularity and two key technology concepts related to the Cloud – Virtualization and Software as a Service (SaaS) are approaching the Plateau of Productivity. However, Cloud based IT Services are not free from security threats and vulnerability issues. In fact, if an organization overlooks the risks from security threats while moving to the Cloud and if it does not have proper governance mechanism to mitigate the risks then the Return on Investment in Cloud can have a negative impact that can reduce the tangible benefits and might even lead to a catastrophe.
Figure 1. Hype Cycle for Cloud Computing (Gartner, 2013) .
TopEssential Characteristics Of Cloud Computing
According to Mell and Grance (2011), NIST (National Institute of Standards and Technology, U.S.A.) has ascribed five essential characteristics to Cloud Computing. These are:
- 1)
On-demand self-service - The Cloud Service Provider (CSP) should have the ability to automatically provision computing capabilities, such as server and network storage, as needed without requiring human interaction with the CSP.
- 2)
Rapid elasticity - The computing capabilities should be rapidly and elastically provisioned with minimal response time, to scale out or scale in quickly.
- 3)
Broad network access - The cloud network should be accessible anywhere and by almost any device.
- 4)
Resource pooling - The CSP’s computing resources can be pooled to serve multiple customers using a multi-tenant model with allocation and de-allocation of physical and virtual resources dynamically on demand irrespective of location of the physical and virtual resources (across geographies).
- 5)
Measured service - Cloud systems should provide a utility based computing experience where the resource usage can be monitored, controlled and reported providing transparency to the CSP and customer.
Key Terms in this Chapter
Cloud Governance Matrix: It maps the six governance principles of ISO/IEC 38500:2008 to the 12 Control IDs of CSA CCM V3 GRM control domain to provide a unified matrix for Governance and |Risk Management of Cloud Services.
Cloud Services: A cloud service is any computing resource that is provided over the Internet. The three basic cloud service models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).
Virtualization: Virtualization is a software technology that uses a physical resource, such as a server, and divides it into virtual resources called virtual machines (VMs). Virtualization helps to consolidate physical resources, simplify deployment and administration, and reduce power and cooling requirements.
SIEM: Security information and event management (SIEM) is a term for software products and services that combines security information management and security event management and is mostly tool based technology that provides real-time analysis of information system security alerts.
Cloud Controls Matrix: Cloud Controls Matrix (CCM) is a Framework from Cloud Security Alliance that provides fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud service.
SLA: Service Level agreement (SLA) is a contract between a service provider (e.g. - a Cloud Service Provider) and the end user that defines the level of service expected by the end user from the service provider.
Hype Cycle: The Hype Cycle branded by Gartner Inc. represents the evolving maturity, adoption and social application of emerging technologies.